This repository has been archived by the owner on Aug 26, 2021. It is now read-only.

Impossible to request certificate when ingress for path / exists #197

Open
tobilarscheid opened this issue Jun 1, 2017 · 6 comments

Comments

@tobilarscheid

tobilarscheid commented Jun 1, 2017

Hi everyone,

we just faced the issue that it is impossible to request certificates with kube-lego when another ingress for the path / already exists. The /.well-known/acme path in the ingress created by kube-lego is then not reachable. I know this is somewhat a limitation of kubernetes-ingress, I was just curious if you guys consider this as a problem or not. In theory it might be possible for kube-lego to detect such situations and temporarily reconfigure the colliding ingress.

Regards,

Tobi

@munnerz
Contributor

munnerz commented Jul 5, 2017

This shouldn't be the case - the 'longer' (aka more precise) path should be chosen when routing.

What ingress controller are you using?

@tobilarscheid
Author

We are using the nginx ingress controller.

Why do you think the longer path should be chosen? This issue indicates behaviour in the case of having multiple ingresses for the same host is not defined by the kubernetes docs. Merging usually works fine, in the case I described above however it can become problematic.

@fascinatedcow

I think the nginx ingresses get priority by name in this case. I worked around this by naming my ingress to something alphabetically later than kube-lego-....

@ankon
Contributor

ankon commented Jul 6, 2017

I reported a possibly similar issue in the ingress project for the nginx controller, if you are using rewrite-target you might be affected by this: kubernetes/ingress-nginx#495

@paulwalker

@fascinatedcow That did not work for me. Did the deployment name also follow kube-lego-...?

Can someone please educate me on how to tell or configure GCE vs Nginx ingress controllers?

@jihonrado

I am experiencing the same issue. I have the following ingress for my web (mydomain.com):

...
spec:
  tls:
  - hosts:
    - mydomain.com
    secretName: domain-tls
  rules:
  - host: mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: web
          servicePort: 3000

that overrides the one that kube-lego creates (mydomain.com/.well-known/acme-challenge):

...
spec:
  rules:
  - host: mydomain.com
    http:
      paths:
      - backend:
          serviceName: kube-lego-nginx
          servicePort: 8080
        path: /.well-known/acme-challenge

When I try to access mydomain.com/.well-known/acme-challenge, it takes me to my web instead of kube-lego's nginx.

I tried renaming my web's ingress so that it is alphabetically before kube-lego's one, but it does not work.
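Added example, not part of any comment above and not kube-lego or ingress-nginx code: a small model that merges the two quoted specs for one host and compares the two routing hypotheses raised in the thread (most specific path wins versus Ingress objects tried in name order), flagging when they disagree for the ACME challenge path. The Ingress object names and the token in the request path are hypothetical, and the name-order rule is only the thread's guess, not confirmed controller behaviour.

```python
# Constructed from the two specs quoted in the thread. The Ingress object
# names are hypothetical (the thread elides the metadata with "...").
HOST = "mydomain.com"
ACME_REQUEST = "/.well-known/acme-challenge/example-token"  # constructed token
INGRESSES = [
    {"name": "web", "rules": [{"host": HOST, "paths": [
        {"path": "/", "service": "web", "port": 3000}]}]},
    {"name": "kube-lego-nginx", "rules": [{"host": HOST, "paths": [
        {"path": "/.well-known/acme-challenge",
         "service": "kube-lego-nginx", "port": 8080}]}]},
]

def merged_locations(ingresses, host):
    """Collect (path, backend, ingress name) for every rule on one host."""
    return [(p["path"], f'{p["service"]}:{p["port"]}', ing["name"])
            for ing in ingresses
            for rule in ing["rules"] if rule["host"] == host
            for p in rule["paths"]]

def prefix_matches(path, request):
    """Prefix match on path-segment boundaries; "/" matches every request."""
    if path == "/":
        return True
    path = path.rstrip("/")
    return request == path or request.startswith(path + "/")

def _hits(ingresses, host, request):
    return [loc for loc in merged_locations(ingresses, host)
            if prefix_matches(loc[0], request)]

def longest_prefix_backend(ingresses, host, request):
    """Hypothesis 1: the most specific (longest) matching path wins."""
    hits = _hits(ingresses, host, request)
    return max(hits, key=lambda loc: len(loc[0]))[1] if hits else None

def first_by_name_backend(ingresses, host, request):
    """Hypothesis 2 (assumption): the alphabetically first Ingress wins."""
    hits = _hits(ingresses, host, request)
    return min(hits, key=lambda loc: loc[2])[1] if hits else None

def acme_path_shadowed(ingresses, host, request=ACME_REQUEST):
    """True when the hypotheses disagree, so ordering can hide the ACME path."""
    return (longest_prefix_backend(ingresses, host, request)
            != first_by_name_backend(ingresses, host, request))

if __name__ == "__main__":
    print("longest prefix ->", longest_prefix_backend(INGRESSES, HOST, ACME_REQUEST))
    print("name order     ->", first_by_name_backend(INGRESSES, HOST, ACME_REQUEST))
    print("shadowed       ->", acme_path_shadowed(INGRESSES, HOST))
```

Comparing the model's output with what the cluster actually serves for the challenge path shows which hypothesis, if either, matches the controller in use.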
